I'm not trying to get everyone in a hissy about package signing, that's not what this post is about. I was wondering what measures are currently being taken to make sure that the main repository server is untampered with.
It is my understanding that the devs are waiting until the next version of pacman to implement someone's idea of adding sha256 hashes to the database. This is going to be for pacman to verify packages. Said person didn't make any patches, the devs ended up making them, yada yada. Kind of pointless if package signing is to be implemented by that point anyway.
Is something stopping the devs from making up a list of sha256 sums and then signing that and putting it out there for the peace of mind of paranoid users such as myself? Is it the fact that these packages aren't fully trusted that makes them not want to do this? If you have a database of trusted packages there are plenty of tools out there already that will make a list of sha256 sums with a simple command. It seems to me like this would up the security greatly with very little work.
Perhaps my idea is flawed, and maybe it's already been said time after time. That brings me back to the original question. What is currently being done to verify the security of these servers? Is it nothing? Or are they being heavily monitored?
We have been signing our packages for a long time.
Give what you have. To someone, it may be better than you dare to think.
wonder wrote: We have been signing our packages for a long time.
I was under the impression most packages weren't signed yet. Is that not true? Would the unsigned packages pose no threat?
I would like to get to the bottom of this for my own peace of mind.
wonder wrote: We have been signing our packages for a long time.
I was under the impression most packages weren't signed yet. Is that not true? Would the unsigned packages pose no threat?
I would like to get to the bottom of this for my own peace of mind.
We sign them gradually when they are updated.
Give what you have. To someone, it may be better than you dare to think.
There is little point in rushing to get these sorts of things done when no-one even checks what is already there... This might not show in the current version of pacman, but many packages have:
> pacman -Si glibc
...
MD5 Sum : 79baa0cbc0a226b11417b293860d5470
SHA256 Sum : ec042518012a32243a0ac11ec710e83fe687ee5603e0f0056005435810dd5d32
Signatures : Yes
If people were actually using that information, then it might be worth us spending the time to get it completely done across the repo...
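As an added example that is not part of the thread and is not pacman's own code: a small checker that does what Allan is pointing at, namely reads the SHA256 Sum advertised in `pacman -Si` style output and verifies a downloaded package file against it. The sample database entry is constructed here from the glibc lines quoted above (the Name line is assumed, the hash values are the ones quoted), and the package bytes are constructed sample data, so the demo shows both a mismatch against the quoted hash and a match against an entry built from the real digest.

```python
import hashlib
import hmac
import re

# Constructed sample: the `pacman -Si glibc` lines quoted in the thread.
# The "Name" line is an assumption; the MD5/SHA256/Signatures values are the quoted ones.
SAMPLE_SI_OUTPUT = """\
Name           : glibc
MD5 Sum        : 79baa0cbc0a226b11417b293860d5470
SHA256 Sum     : ec042518012a32243a0ac11ec710e83fe687ee5603e0f0056005435810dd5d32
Signatures     : Yes
"""

# Constructed sample package contents (not a real package file).
SAMPLE_PKG = b"constructed sample package contents, not a real .pkg.tar.xz"


def parse_si(text):
    """Parse 'Field : value' lines from `pacman -Si` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def verify_package(pkg_bytes, si_text):
    """Return True only if pkg_bytes hashes to the SHA256 Sum the database entry advertises.

    If the entry carries no usable SHA256, the check fails closed: it does not
    silently fall back to the weaker MD5 Sum.
    """
    fields = parse_si(si_text)
    expected = fields.get("SHA256 Sum", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        return False
    actual = hashlib.sha256(pkg_bytes).hexdigest()
    # Constant-time comparison, so the result does not leak how much of the digest matched.
    return hmac.compare_digest(actual, expected)


def build_si_entry(name, pkg_bytes, signed=False):
    """Build a database-style entry for pkg_bytes (hypothetical helper for the demo)."""
    return (
        f"Name           : {name}\n"
        f"MD5 Sum        : {hashlib.md5(pkg_bytes).hexdigest()}\n"
        f"SHA256 Sum     : {hashlib.sha256(pkg_bytes).hexdigest()}\n"
        f"Signatures     : {'Yes' if signed else 'No'}\n"
    )


if __name__ == "__main__":
    # The constructed bytes do not hash to the quoted glibc digest: mismatch.
    print("against quoted glibc entry:", verify_package(SAMPLE_PKG, SAMPLE_SI_OUTPUT))
    # An entry built from the real digest of the same bytes: match.
    print("against matching entry:", verify_package(SAMPLE_PKG, build_si_entry("demo", SAMPLE_PKG)))
    # An entry with only an MD5 Sum is refused rather than trusted.
    print("md5-only entry:", verify_package(SAMPLE_PKG, "MD5 Sum : 79baa0cbc0a226b11417b293860d5470\n"))
```

The checker deliberately treats a missing or malformed SHA256 Sum as a failure rather than comparing the MD5 Sum instead, which is the situation Allan describes for packages where the database has not been completed yet.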
There is little point in rushing to get these sorts of things done when no-one even checks what is already there...
Well, that is a bit of a broad brush, isn't it?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way
Allan wrote: There is little point in rushing to get these sorts of things done when no-one even checks what is already there...
Well, that is a bit of a broad brush, isn't it?
Not necessarily. IIRC linux (kernel26) packages were signed even before pacman 4rc became available. And what's the point of sha256sums then?
@Allan, is that pacman-git? I don't see the "Signatures: " field in pacman 4.0 rc1...
Last edited by Leonid.I (2011-09-19 22:02:18)
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
@Allan, is that pacman-git? I don't see the "Signatures: " field in pacman 4.0 rc1...
Yes.